[Records Exposed: Several Terabytes of IP | Industry: Private and Public Sectors | Type Of Attack: Zero-Day]
Li Xiaoyu and Dong Jiazhi, Chinese nationals who met at an engineering school in Chengdu, China, were indicted by the Department of Justice on Tuesday, July 21. Their crime? Stealing several terabytes of intellectual property from 11 Western nations over the past decade.
When called upon, Li and Dong allegedly worked as freelance hackers for the Chinese government. In return, they were immune from prosecution when performing private hacks for monetary gain. DOJ authorities estimate that since 2009 the hacker duo has hacked hundreds of companies globally, and continues to do so. Their targets include manufacturers, energy and pharmaceutical enterprises, video game and education software companies, and most recently—and perhaps most disturbingly—Covid-19 research facilities working on a cure.
Their “rob, replicate, replace” strategy works like this: the stolen intellectual property is sold to Chinese enterprises. Those corporations replicate the technology and replace its Western counterpart, first in the Chinese market and eventually, ideally, in global markets. The Chinese government, which vehemently denies such allegations, also appears to use the hackers to control its citizens. Examples include the theft of dissidents’ emails and the emails of Chinese religious leaders who are not part of the government’s sanctioned religions.
The efficiency of Li and Dong’s operation can be credited to their workflow and teamwork. Dong researches victims for Zero-Day vulnerabilities and Li exploits those vulnerabilities to extract data. A Zero-Day vulnerability is a weakness in computer software that is unknown to, or not yet fixed by, the vendor. Typically, a hacker exploits the weakness to gain access to internal data. Further, the hacker is able to remain inside the system undetected for prolonged periods, until the vulnerability is discovered and fixed or the intrusion is noticed. It is believed that China’s Ministry of State Security fed Zero-Day malware to Li and Dong.
Using web shells—their favorite being the “China Chopper”—the pair gains remote access to their victims’ networks in order to steal data, including usernames and passwords. Such unrestricted and undetected access gives them time to explore the internal systems, collect data into a compressed RAR file hidden in the Recycle Bin, and exfiltrate it. While the DOJ doesn’t release the names of those hacked, it has released some locations and the amount of data stolen in specific targeted attacks.
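The staging behavior described above, a RAR archive parked in the Recycle Bin so that it looks like ordinary deleted data, is something a defender can hunt for. The following script is an added example, not code from the article or the DOJ indictment: it walks a directory tree, identifies files that begin with a RAR signature regardless of their extension, and flags those that sit under a Recycle Bin folder. The per-user SID folder name, the file names and the file contents in the sample tree are constructed for illustration; the RAR magic bytes and the Windows `$Recycle.Bin` folder naming are real.

```python
"""Hunt for RAR archives staged inside Windows Recycle Bin folders.

Added example (not part of the original article). Flags files whose
content starts with a RAR signature even when the extension was changed,
so a renamed archive dropped into $Recycle.Bin is still reported.
"""
import os
import tempfile

# Real RAR signatures: RAR 4.x and RAR 5.x archives start with these bytes.
RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"

# Folder names used by the Windows Recycle Bin across versions (lowercased).
RECYCLE_DIR_NAMES = {"$recycle.bin", "recycler", "recycled"}


def is_rar(path):
    """Return True if the file's first bytes match a RAR signature."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    return head.startswith(RAR4_MAGIC) or head.startswith(RAR5_MAGIC)


def in_recycle_bin(path):
    """Return True if any path component is a Recycle Bin folder."""
    parts = os.path.normpath(path).split(os.sep)
    return any(part.lower() in RECYCLE_DIR_NAMES for part in parts)


def find_staged_archives(root, min_size=0):
    """Walk `root` and return RAR files found under a Recycle Bin folder.

    Each finding records the path, the size, and whether the extension
    was changed to something other than .rar (a sign of deliberate hiding).
    """
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                size = os.path.getsize(full)
                if size < min_size or not is_rar(full):
                    continue
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            if in_recycle_bin(full):
                findings.append({
                    "path": full,
                    "size": size,
                    "renamed": not name.lower().endswith(".rar"),
                })
    return findings


def build_sample_tree(base):
    """Create a constructed sample layout for demonstration (not real data)."""
    # Hypothetical user SID folder; the SID value is a placeholder.
    rb = os.path.join(base, "$Recycle.Bin",
                      "S-1-5-21-0000000000-0000000000-0000000000-1001")
    os.makedirs(rb)
    # A RAR archive renamed to look like a deleted text file: should be flagged.
    with open(os.path.join(rb, "$RABCDEF.txt"), "wb") as fh:
        fh.write(RAR5_MAGIC + b"\x00" * 100)
    # A genuinely deleted text file: not an archive, not flagged.
    with open(os.path.join(rb, "$RXYZ123.txt"), "wb") as fh:
        fh.write(b"meeting notes")
    # A RAR archive outside the Recycle Bin: not flagged by this hunt.
    docs = os.path.join(base, "Users", "alice", "Documents")
    os.makedirs(docs)
    with open(os.path.join(docs, "backup.rar"), "wb") as fh:
        fh.write(RAR4_MAGIC + b"\x00" * 100)


def run_demo():
    """Build the constructed tree in a temp dir and return the findings."""
    base = tempfile.mkdtemp(prefix="rbhunt_")
    build_sample_tree(base)
    return find_staged_archives(base)


if __name__ == "__main__":
    for hit in run_demo():
        print(f"{hit['path']}  size={hit['size']}  renamed={hit['renamed']}")
```

In a real sweep the hunt would run over each fixed drive root with a `min_size` threshold large enough to ignore small genuine deletions, and the findings would be correlated with web server logs around the same timestamps, since the article's web shell access is what produces the staging in the first place.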
According to Ben Read, senior manager of analysis at cyber security firm FireEye, this indictment comes as no surprise. “The Chinese government has long relied on contractors to conduct cyber intrusions. Using these freelancers allows the government to access a wider array of talent, while also providing some deniability in conducting these operations.”
For their part, the Chinese Foreign Ministry spokesman had this to say: “The Chinese government is a staunch supporter and champion of cyber safety. We’ve been cracking down on all forms of cyber attacks and cyber crimes. We demand the U.S. side immediately stop discrediting China on the issue of cyber security.”
The DOJ has issued a reminder to corporations that all cyber crimes and suspected cyber crimes must be reported to the DOJ at the earliest sign of a breach. Even if the issue is assumed to be an HR problem or an internal glitch, involving the DOJ gives enterprises access to top-level government resources and investigative work, limiting the damage an enterprise may suffer should it attempt to ignore the attack or resolve it on its own. In the case of the cyber attacks out of China, the hackers returned to the scene of the crime again and again in order to extract as much data as possible. The DOJ reminds American enterprises that one-time hacks are unlikely, stressing the importance of working with experts.
The DOJ also reminds enterprises that their reputation is not at stake when reporting cyber crimes. Enterprise C-suite and board members should not be concerned that the DOJ will poke around where it doesn’t belong, expose the corporation, or punish the corporation. Further, the DOJ does not release the names of the enterprises it investigates. By contrast, an organization that does not report a breach to the DOJ runs the risk of the breach being leaked to the media or discovered by other nefarious actors.
Zero-Day threats are a risk to every organization. Especially with more and more people working from home, it is imperative that every available security measure is used, such as:
- Firewalls – Beyond simply installing a firewall, be sure to configure its rules so that only necessary traffic is allowed.
- Essential Applications – The more third-party software an enterprise has, the more risk it takes on. Limit applications to the essential ones and prefer several applications from the same vendor.
- Patches – Don’t ignore patch and system updates. Download them immediately upon notification. Patches fix software and operating system vulnerabilities, which reduces the risk of malware.
- HIPS – A host intrusion prevention system (HIPS) is a software program that monitors a single host for suspicious activity, blocks unauthorized changes to the system, and notifies the user. It goes a step further than traditional antivirus software because it does more than just detect.